rohityadavcloud commented on a change in pull request #5879:
URL: https://github.com/apache/cloudstack/pull/5879#discussion_r789564879
##########
File path: server/src/main/java/com/cloud/user/AccountManagerImpl.java
##########
@@ -1110,6 +1183,39 @@ public UserAccount createUserAccount(final String
userName, final String passwor
return _userAccountDao.findById(userId);
}
+ /**
+ * if there is any permission under the requested role that is not
permitted for the caller, refuse
+ */
+ private void checkRoleEscalation(Account caller, Account requested) {
+ Long requestedRoleId = requested.getRoleId();
+ List<RolePermission> requestedPermissions =
roleService.findAllPermissionsBy(requestedRoleId);
+ for (String command : apiNameList) {
Review comment:
Could there be a simpler fix, that is the caller is only allowed to
select/pass roleids while creating account that is equal or lower than their
own role; for example;
root admin -> can do anything
domain admin -> create domain/sub-domain admins and user-accounts
user accounts -> none
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
